容器镜像仓库harbor+cosign的安装使用

harbor2.5版本开始支持cosign做镜像签名，本周实践了一下，

ubuntu20.04.4，安装docker，sudo apt install docker.io，

sudo systemctl enable docker，

sudo gpasswd -a ubuntu docker，

newgrp docker，

安装docker-compose，sudo apt install docker-compose，

给harbor起个本地域名，sudo vim /etc/hosts，

10.90.11.120 harbortrivy.com

给harbor创建私钥和证书，

openssl genrsa -out ca.key 4096，

openssl req -x509 -new -nodes -sha512 -days 3650 \

 -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbortrivy.com" \

 -key ca.key \

 -out ca.crt，

openssl genrsa -out harbortrivy.com.key 4096，

openssl req -sha512 -new \

   -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbortrivy.com" \

   -key harbortrivy.com.key \

   -out harbortrivy.com.csr，

cat > v3.ext <<-EOF

authorityKeyIdentifier=keyid,issuer

basicConstraints=CA:FALSE

keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

extendedKeyUsage = serverAuth

subjectAltName = @alt_names

[alt_names]

DNS.1=harbortrivy.com

DNS.2=harbortrivy

DNS.3=ubuntu

EOF

openssl x509 -req -sha512 -days 3650 \

   -extfile v3.ext \

   -CA ca.crt -CAkey ca.key -CAcreateserial \

   -in harbortrivy.com.csr \

   -out harbortrivy.com.crt，

下载harbor在线安装版本，

wget https://github.com/goharbor/harbor/releases/download/v2.5.0/harbor-online-installer-v2.5.0.tgz，

tar -zxvf harbor-online-installer-v2.5.0.tgz，cd harbor，

修改配置，vim harbor.yml，

hostname: harbortrivy.com

certificate: /home/ubuntu/harbortrivy.com.crt

private_key: /home/ubuntu/harbortrivy.com.key

harbor_admin_password: harbortrivy

安装，指定trivy，notary等参数，

sudo ./install.sh --with-notary --with-trivy --with-chartmuseum，

安装成功后，https登录，admin/harbortrivy，

在docker客户端，需要把harbor的证书弄过来放到docker的目录下，

sudo mkdir -p /etc/docker/certs.d/harbortrivy.com，

sudo cp ca.crt /etc/docker/certs.d/harbortrivy.com，

还需要更新系统的ca证书，

sudo cp ca.crt /usr/local/share/ca-certificates/，

sudo update-ca-certificate，

登录一下，docker login --username=admin harbortrivy.com，

下载cosign程序，

sudo wget https://github.com/sigstore/cosign/releases/download/v1.7.2/cosign-linux-amd64 -O /usr/local/bin/cosign，

sudo chmod +x /usr/local/bin/cosign，

创建签名的公私钥，cosign generate-key-pair，

下载log4j的镜像做实验，

docker pull ghcr.io/christophetd/log4shell-vulnerable-app，

docker tag 248241e9f7fa harbortrivy.com/library/log4shell-vulnerable-app:latest，

docker push harbortrivy.com/library/log4shell-vulnerable-app:latest，

用cosign对log4j镜像做签名，

cosign sign --key cosign.key harbortrivy.com/library/log4shell-vulnerable-app:latest，

用cosign对log4j镜像的签名做验证，

cosign verify --key cosign.pub harbortrivy.com/library/log4shell-vulnerable-app:latest，

同样支持对未签名的镜像限制下载，